Abstract
The differential characteristic search problem is converted into a mixed integer linear programming (MILP) model to obtain a bound against differential attacks. The difference distribution table (DDT) is used to write the linear inequalities for MILP modeling of an S-box. To construct a reduced set of such inequalities, we present approaches based on the Quine-McCluskey (QM) and Espresso algorithms, which are used for active S-box minimization and probability optimization respectively. These approaches are used to search for differential characteristics of the lightweight block cipher PIPO-64/128. There are 20621 inequalities in 23 variables corresponding to possible difference transitions in the DDT, and these are minimized to 6035 inequalities. The MILP model based on these inequalities is used to optimize the probability of differential and impossible differential characteristics for PIPO-64/128 reduced to 9 and 4 rounds respectively. We construct an iterative 2-round related-key differential characteristic with probability \(2^{-4}\), which is used to present a full round related-key differential distinguisher with probability \(2^{-24}\). We develop a key recovery attack using related keys on full round PIPO-64/128 with a data complexity of \(2^{32}\). We present a major collision in PIPO-64/128 which produces the same ciphertext (C) by encrypting the plaintext (P) under two different keys.
Notes
- 6. In this calculation, we consider a pair (a, b) same as (b, a).
References
Abdelkhalek, A., Sasaki, Y., Todo, Y., Tolba, M., Youssef, A.M.: MILP modeling for (large) S-boxes to optimize probability of differential characteristics. IACR Trans. Symmetric Cryptol. 2017(4), 99–129 (2017). ISSN 2519-173X, https://doi.org/10.13154/tosc.v2017.i4.99-129
Biham, E.: New types of cryptanalytic attacks using related keys. J. Cryptol. 7(4), 229–246 (1994). https://doi.org/10.1007/BF00203965
Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of skipjack reduced to 31 rounds using impossible differentials. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 12–23. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_2
Biham, E., Shamir, A.: Differential cryptanalysis of DES-like Cryptosystems. J. Cryptol. 4, 3–72 (1991). Springer
Biham, E., Shamir, A.: Differential cryptanalysis of the full 16-round DES. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 487–496. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_34
Bogdanov, A.: Analysis and design of block cipher constructions. Ph.D. thesis (2009)
Bogdanov, A., et al.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74735-2_31
Boura, C., Coggia, D.: Efficient MILP modelings for S-boxes and linear layers of SPN ciphers. IACR Trans. Symmetric Cryptol. 3, 327–361 (2020)
Beierle, C., et al.: The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 123–153. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_5
‘CryptoMiniSat5’. https://www.msoos.org/cryptominisat5
IBM ILOG: IBM ILOG CPLEX Optimization Studio V12.7.0 documentation (2016). Official webpage https://www-01.ibm.com/software/websphere/products/optimization/cplex-studio-community-edition/
Espresso Logic Minimizer. https://ptolemy.berkeley.edu/projects/embedded/pubs/downloads/espresso/
Gerault, D., Lafourcade, P., Minier, M., Solnon, C.: Revisiting AES related-key differential attacks with constraint programming. Cryptology ePrint Archive (2017)
Gohr, A.: Improving attacks on round-reduced Speck32/64 using deep learning. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 150–179. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_6
Gurobi Optimizer 7.5.2. https://www.gurobi.com
Heys, H.M.: A tutorial on linear and differential cryptanalysis. Cryptologia 26(3), 188–221 (2002)
Kim, H., Jeon, Y., Kim, G., Kim, J., Sim, B.-Y., Han, D.-G., Seo, H., Kim, S., Hong, S., Sung, J., Hong, D.: PIPO: a lightweight block cipher with efficient higher-order masking software implementations. In: Hong, D. (ed.) ICISC 2020. LNCS, vol. 12593, pp. 99–122. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-68890-5_6
Knudsen, L., Robshaw, M.J.B.: Block Cipher Companion. Springer, Heidelberg (2011). ISBN 978-3-642-17341-7. https://doi.org/10.1007/978-3-642-17342-4
Kumar, M., Suresh, T.S., Pal, S.K., Panigrahi, A.: Optimal differential trails in lightweight block ciphers ANU and PICO. Cryptologia 44(1), 68–78 (2020)
Kumar, M., Yadav, T.: MILP based differential attack on round reduced WARP. In: Batina, L., Picek, S., Mondal, M. (eds.) SPACE 2021. LNCS, vol. 13162, pp. 42–59. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-95085-9_3
Kelsey, J., Schneier, B., Wagner, D.: Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA. In: Han, Y., Okamoto, T., Qing, S. (eds.) ICICS 1997. LNCS, vol. 1334, pp. 233–246. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0028479
Logic Friday. https://sontrak.com/
Matsui, M.: On correlation between the order of S-boxes and the strength of DES. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 366–375. Springer, Heidelberg (1995). https://doi.org/10.1007/BFb0053451
Mouha, N., Wang, Q., Gu, D., Preneel, B.: Differential and linear cryptanalysis using mixed-integer linear programming. In: Wu, C.-K., Yung, M., Lin, D. (eds.) Inscrypt 2011. LNCS, vol. 7537, pp. 57–76. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34704-7_5
National Institute of Standards and Technology: Lightweight Cryptography, Finalists. NIST (2021). https://csrc.nist.gov/projects/lightweight-cryptography/finalists
National Institute of Standards and Technology: Federal Information Processing Standards Publication 197: Advanced Encryption Standard (AES). NIST (2001)
Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 158–178. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_9
Sun, S., Hu, L., et al.: Towards finding the best characteristics of some bit-oriented block ciphers and automatic enumeration of (related-key) differential and linear characteristics with predefined properties. Cryptology ePrint Archive, Report 2014/747 (2014)
Sasaki, Yu., Todo, Y.: New differential bounds and division property of Lilliput: block cipher with extended generalized feistel network. In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 264–283. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69453-5_15
Sasaki, Yu., Todo, Y.: New impossible differential search tool from design and cryptanalysis aspects. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 185–215. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_7
Sasaki, Yu., Todo, Y.: New algorithm for modeling S-box in MILP based differential and division trail search. In: Farshim, P., Simion, E. (eds.) SecITC 2017. LNCS, vol. 10543, pp. 150–165. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69284-5_11
Sun, S., et al.: Analysis of AES, SKINNY, and others with constraint programming. IACR Trans. Symmetric Cryptol. 1, 281–306 (2017)
Yadav, T., Kumar, M.: Differential-ML distinguisher: machine learning based generic extension for differential cryptanalysis. In: Longa, P., Ràfols, C. (eds.) LATINCRYPT 2021. LNCS, vol. 12912, pp. 191–212. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-88238-9_10
Zhu, B., Dong, X., Yu, H.: MILP-based differential attack on round-reduced GIFT. In: Matsui, M. (ed.) CT-RSA 2019. LNCS, vol. 11405, pp. 372–390. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12612-4_19
Appendix
1.1 A \(C = E(P,K) = E(P,K^{'})\) where \(K^{'} = K \oplus \varDelta K\)

K = 0x6DC416DD779428D27E1D20AD2E152297

\(\varDelta K\) = 0x00400008010010000020000020000000

No. | Plaintext (P) | Ciphertext (C) |
---|---|---|
1 | 0xFFEAF697D7FCE742 | 0xCDE57DF09ECF4F7D |
2 | 0xFCFFE1E57B3EE1B0 | 0x964DFE673B256413 |
3 | 0xFE9DAF4B7CDF3C62 | 0x5A204F91F5B3BEE2 |
4 | 0xBFE622F4EDF3FF2A | 0x2C41558C8D728AD0 |
5 | 0xE7FFA8E4E8F95AF5 | 0xEB10BDFF059CF6A0 |
6 | 0xBDFDE7BAFFF6E73E | 0x009AEE178347B174 |
7 | 0x7FFB2EFE657B19E7 | 0xD387F51CC4D0755A |
8 | 0x2FF9393C75FB73F1 | 0x46B43D51ABE5146D |
9 | 0x6EFE60A8EFFF5F2F | 0x4F687CEC564569ED |
10 | 0xF8EFFEB4EFFC9A70 | 0x923B7FDBAE0812CC |
11 | 0xFD976646A1A3B40C | 0xC433269EE6751443 |
12 | 0x6FF431B77B748CB5 | 0x5041B64C120B2673 |
13 | 0xE3EBED217F6FEB3F | 0x56072F13AA0DB152 |
14 | 0xE35BF593EB9D32F0 | 0x1046EFDED93A860F |
15 | 0xFFF76DCC8F77FA1B | 0x73D7C7FFE4A78EF6 |
16 | 0x77FF282B3F7F8121 | 0xAD7D75F547410892 |
17 | 0x3E6FAB372BFB5F23 | 0x17C097CDE69D86BA |
18 | 0xEFFABDB4F6F7032E | 0x98731593F9EFC0D7 |
19 | 0x75926BBA4F77726F | 0xDF4974E78B9FEC13 |
20 | 0xEBE465797D6BAD63 | 0x7432FC827038315B |
1.2 B MILES: MInimized Linear inEqualities for Large S-Boxes
We present MILES, an Espresso-based tool that generates the linear inequalities for large S-boxes; it is based on the Espresso algorithm [12]. The S-box is given as input to the tool, which outputs a minimized set of linear inequalities required to model the MILP problem. MILES is the first tool that uses the full DDT of an 8-bit S-box to generate the linear inequalities. In MILES, four processes are applied sequentially to generate the minimized linear inequalities. These processes are described as follows:
1. DDT generation. In this process, MILES takes an m-bit S-box (\(m \ge 3\)) as input and generates a DDT of the S-box. The DDT (\(2^m\times 2^m\)) is a two-dimensional array where row indices (y-axis) define the input difference while column indices (x-axis) define the output difference. We define a function \(f_{i,j}\) to represent the DDT of the S-box, which provides the number of occurrences of output difference \(\varDelta _j\) corresponding to input difference \(\varDelta _i\) (Eq. 1).

$$f_{i,j} = \text{Frequency}_{\varDelta _i \rightarrow \varDelta _j} \quad \text{where } 0 \le i,j \le m \tag{4}$$

This DDT is used as an input in the next process.
2. DDT to truth table conversion. In this process, the input DDT is converted into a truth table. This truth table specifies the input and output points of the DDT as input variables. To simplify it, we specify only non-zero entries of the DDT and the corresponding output variable as 1. MILES can generate three kinds of truth tables (\(\star \)-TT, p-TT, f-TT) from the DDT. The \(\star \)-TT table corresponds to the non-zero entries in the DDT and p-TT corresponds to the non-zero entries in the DDT for a specific probability (p). The f-TT table corresponds to the non-zero entries with an extra input variable for each probability.
3. Truth table minimization. MILES interfaces with Espresso to perform minimization of the truth table. The output of minimization is TT\(_{min}\), which is used to generate the minimized linear inequalities. TT\(_{min}\) is similar to the truth table and contains an additional symbol (‘−’). The output variable in TT\(_{min}\) is independent of the input variable corresponding to this additional symbol. The minimization process can be performed with the various modes available in the Espresso algorithm. These options are chosen in MILES as the minimization strategy. These strategies are problem specific, and a particular strategy may not provide the best solution for all problems. The minimized truth tables corresponding to \(\star \)-TT, p-TT, and f-TT are represented as \(\star \)-TT\(_{min}\), p-TT\(_{min}\), and f-TT\(_{min}\) respectively.
4. Linear inequalities generation. After the minimization process, MILES generates the linear inequalities. Each linear inequality corresponds to one entry in TT\(_{min}\). If a value in the entry is 0 then it is expressed as the variable x, and if it is 1 then it is expressed as \(1-x\). The value ‘−’ in TT\(_{min}\) does not contribute to the inequality generation process.
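The four processes above, carried through for a small case as an added example (not MILES itself and not code from the paper). Assumptions: `SBOX` is a constructed 3-bit permutation, Espresso is replaced by a small Quine-McCluskey merge with a greedy cover, and each minimized row is read as a cube of impossible transitions whose inequality (sum of the row's terms at least 1) excludes them.

```python
from itertools import product

M = 3
SBOX = [3, 6, 0, 5, 7, 1, 4, 2]  # constructed 3-bit permutation, not from the paper

def ddt(sbox):
    """Process 1: t[dx][dy] counts x with S(x) ^ S(x ^ dx) == dy."""
    t = [[0] * len(sbox) for _ in sbox]
    for x, dx in product(range(len(sbox)), repeat=2):
        t[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return t

def bits(dx, dy):  # (dx, dy) as one 2m-bit point, MSB first
    return tuple((v >> i) & 1 for v in (dx, dy) for i in reversed(range(M)))

def prime_cubes(points):
    """Process 3 stand-in: merge cubes differing in one fixed bit (QM)."""
    level, primes = set(points), set()
    while level:
        merged, nxt = set(), set()
        for a, b in product(level, repeat=2):
            d = [i for i in range(len(a)) if a[i] != b[i]]
            if len(d) == 1 and '-' not in (a[d[0]], b[d[0]]):
                nxt.add(a[:d[0]] + ('-',) + a[d[0] + 1:])
                merged |= {a, b}
        primes, level = primes | (level - merged), nxt
    return primes

def covers(cube, p):
    return all(c in ('-', v) for c, v in zip(cube, p))

def greedy_cover(primes, points):
    left, chosen = set(points), []
    while left:  # pick the cube covering the most still-uncovered points
        best = max(sorted(primes, key=str), key=lambda c: sum(covers(c, p) for p in left))
        chosen.append(best)
        left -= {p for p in left if covers(best, p)}
    return chosen

def inequality(cube):
    """Process 4: 0 -> x, 1 -> (1 - x), '-' -> skipped; coeffs . x + const >= 1."""
    return [1 if c == 0 else -1 if c == 1 else 0 for c in cube], sum(c == 1 for c in cube)

def model(sbox):
    t, n = ddt(sbox), len(sbox)
    # Process 2: non-zero DDT entries are the points the model must keep.
    possible = {bits(dx, dy) for dx in range(n) for dy in range(n) if t[dx][dy]}
    impossible = set(product((0, 1), repeat=2 * M)) - possible
    cubes = greedy_cover(prime_cubes(impossible), impossible)
    return possible, impossible, [inequality(c) for c in cubes]

def satisfies(point, ineqs):
    return all(sum(a * x for a, x in zip(co, point)) + k >= 1 for co, k in ineqs)
```
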
1.3 C Example: Linear Inequalities Generation using MILES
We describe the process to generate the linear inequalities for a 3-bit S-box (Table 12). The DDT (Table 13), f-TT (Table 14), and f-TT\(_{min}\) (Table 15) are generated using MILES. The set of minimized linear inequalities for this S-box is given in Table 16.
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Yadav, T., Kumar, M. (2022). Modeling Large S-box in MILP and a (Related-Key) Differential Attack on Full Round PIPO-64/128. In: Batina, L., Picek, S., Mondal, M. (eds) Security, Privacy, and Applied Cryptography Engineering. SPACE 2022. Lecture Notes in Computer Science, vol 13783. Springer, Cham. https://doi.org/10.1007/978-3-031-22829-2_1
DOI: https://doi.org/10.1007/978-3-031-22829-2_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-22828-5
Online ISBN: 978-3-031-22829-2
eBook Packages: Computer Science, Computer Science (R0)